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Multi-agent systems are currently applied to solve complex problems. The security of networks is an eloquent example of 
a complex and difficult problem. A new model-concept Hybrid Sensitive Robot Metaheuristic for Intrusion Detection is 
introduced in the current paper. The proposed technique could be used with machine learning based intrusion detection 
techniques. The new model uses the reaction of virtual sensitive robots to different stigmergic variables in order to keep 
the tracks of the intruders when securing a sensor network. 

Keywords: intrusion detection, sensor network, intelligent agents 



C/3 



> 
(N 

d 

(N 



X 



1. Introduction 

Prevention and detection of intruders in a secure net- 
i work is nowadays a challenging issue. The intrusion detec- 
tion system based on computational intelligence (CI) has 
proved in time to have huge advantages over traditional 
detection systems due to characteristics of CI methods: 
adaptation, fault tolerance, high computational speed etc. 
i It is essential to design efficient Intrusion Detection Sys- 
tems (IDS) especially for open medium networks as wire- 
Aess sensor devices. 

The intrusions could be missue intrusions and anomaly 
intrusions. Missue intrusions are the attacks knowing the 
weak points of a system. Anomaly intrusions are based 
.on observations of normal system usage patterns and de- 
tecting deviations from the given norm. The mentioned 
intrusions are hard to quantify because there are no fixed 
patterns that can be monitored and as a result a more 
fuzzy approach is often required. 

The Intrusion Preventing Systems (IPS) are network 
security appliances that monitor network and/or system 
activities for malicious activities. IPS is a device used 
to block all the unwanted access to the targeted host, to 
remove malicious part of packets and as well it may re- 
configure the network device where an attack is detected 

Social autonomic cooperative colonies as ants, bees and 
others have the capability to coordinate and construct 
complex systems Using their behavior, engineers have 
built real collective robotic systems. The metaheuristics 
based on classes of specialized robots provide feasible solu- 
tions for nowadays complex problems. One of these tech- 
niques is Sensitive Robot Metaheuristic developed by Pin- 
tea et al. [I9L I21II . The sensitive model was introduced and 



explained in [j| 0, [2l[ and used to solve complex problems 
in @, S[2l[. The SRM model was implemented first to 
solve a large drilling problem but it has the potential to 
solve other AP-hard problems including intrusion detec- 
tion. The model ensure a balance between diversification 
and intensification in searching. 

The aim of the current paper is to provide an effective 
stigmergic-based technique for IDS in a sensor network 
graph, that consist of multiple detection stations called 
sensor nodes. The new Hybrid Sensitive Robot Metaheuris- 
tic for Intrusion Detection (HSRM-ID) model uses a col- 
lection of robots endowed with a stigmergic sensitivity 
level. The sensitivity of robots allow them to detect and 
react to different stigmergic variables involving the attacks 
into a secure network. The hybrid model combines ele- 
ments from Sensitive Robot Metaheuristic (SRM) [3] as 
Ant Colony System (ACS) [ijj, autonomous mobile robots 
and the intrusion detection based on emotional ants for 
sensors (IDEAS) 0. 

2. Sensitive Stigmergic Robots 

The metaheuristic Sensitive Robot Metaheuristic (SRM) 
[n| combining the concepts of stigmergic communication 
and autonomous robot search is used to solve AP-hard 
optimization problems. The basic concepts are defined 
and described further in this section, see for more details 
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Definition 1. Stigmergy occurs when an action of an in- 
sect is determined or influenced by the consequences of the 
previous action of another insect. 

Definition 2. Sensitive robots refers to artificial entities 
with a Stigmergic Sensitivity Level (SSL) expressed by a 
real number in the unit interval [0, lj. 



Definition 3. Environment explorers 'robots are sensitive 
robots with small Stigmergic Sensitivity Level (sSSL) with 
the potential to autonomously discover new promising re- 
gions of the search space. 

Definition 4. Environment exploiters robots are sensitive 
robots with high Stigmergic Sensitivity Level (hSSL) em- 
phasizing search intensification. 

An important characteristic of stigmery is that indi- 
vidual behavior modifies the environment, which in turn 
modifies the behavior of other individuals . The SRM 
technique attempts to address the coupling between per- 
ception and action as direct as possible in an intelligent 
stigmergic manner. 

As it is known, robot communication relies on local en- 
vironmental modifications that can trigger specific actions. 
The set of the rules defining actions (stimuli pairs) used by 
a homogeneous group of stigmergic robots defines their be- 
havior and determines the type of structure the robots will 
create (i, 26|. Robot stigmergic communication does not 
rely on chemical deposition as it is for artificial ant-based 
colonies (lo| . A stigmergic robot action is determined by 
the environmental modifications caused by prior actions of 
other robots. The value of quantitative stigmergy modify 
the future actions of robots. Discrete stimulus are involved 
in qualitative stigmergy and the action is switched to a dif- 
ferent action [4, l26f . 

Some real-life applications of the behavior-based ap- 
proach, including autonomous robots, are in data min- 
ing, military applications, industry and agriculture, waste 
management, health care. 

3. Intrusion detection techniques using Artificial 
Intelligence 

At first are introduced the main concepts of IDS fol- 
lowed by a survey of Artificial Intelligence-based existing 
models for computer security. 

3.1. Intrusion Detection System 

Due to increasing incidents of computer attacks, it is 
essential to build efficient intrusion detection mechanisms. 
The definitions of the main concepts related to this domain 
are given in what it follows, see for example pi. Il3j|. 

Definition 5. Intrusion detection technology is a technol- 
ogy designed to monitor computer activities for the purpose 
of finding security violations. 

Definition 6. Intrusion detection system (IDS) is a sys- 
tem that implements intrusion detection technology. 

Definition 7. A security violation of a system is any de- 
liberate activity that is not wanted including denial of ser- 
vice attacks, port scans, gaining of system administrator 
access and exploiting system security holes. 



Definition 8. Intrusion Prevention System (IPS) is ac- 
tive, in-line device in the network that can drop packets 
or stop malicious connection before reaching the targeted 
system. 

IPS is able to detect and prevent attacks but it has 
not deeper detection capabilities of IDS. Neither of Intru- 
sion Detecting System and Intrusion Prevention System 
is capable to provide in depth security. Intrusion Detect- 
ing and Prevention System (IDPS), a combinations of IDS 
and IPS, is a more effective system capable of detection 
and prevention (22|. Based on the placement, the IDPS is 
divided into four classes as follows: 



1. 



a network-based system, which is able to monitor 
traffic of network or its particular segment and iden- 
tify different network attacks. 

An example of network-based system is Snort 



14] 



Snort is an open source network intrusion prevention 
and detection system - nowadays a standard for IPS - 
that combines the benefits of signature, protocol and 
anomaly-based inspection. A number of problems 
associated with Network-based system according to 
are: 

— they cannot fully detect novel attacks; 

— variations of known attacks are not fully de- 
tected; 

— they generate a large amount of alerts, as well 
as a large number of false alerts; 

— the existing IDS is focus on low-level attacks or 
anomalies and do not identify logical steps or 
strategies behind these attacks. 

2. host-based systems describe the class of software able 
to monitor a single system, analyse characteristics 
and log to at one host. These systems are deployed 
on critical hosts. 

3. wireless-based systems analyse wireless traffic to mon- 
itor intrusion or any suspicious activity. They scan 
traffic but are not able to identify attack in the ap- 
plication layer or higher layer network protocols as 
UDP and TCP. It may be deployed at the point 
where unauthorized wireless network could be ac- 
cessed. 

4. behavior-based systems are used for examining net- 
work traffic in order to identify attacks (e.g. Denial 
of Service attacks). These systems are deployed to 
monitor flow of network or flow between internal and 
external network. 

3.2. Artificial Intelligence in Intrusion Detection System 
The current paper deals with an artificial intelligent 
approach for intrusion detections. A short review of the 
main A I techniques already used and their benefits for 
detecting intrusion in network systems follows. 
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According to Beg et al. 0, the intrusion detection 
classical algorithms have the following disadvantages: false 
alarm rate and constant updates of database with new sig- 
natures. The network administrator responds to alarms 
and updates the signatures that increases in time. For 
example, in the already mentioned Snort signatures in- 



creased from 1500 to 2800 over two years [14|. In order 
to improve the administrator work, reducing the number 
of false alarms and better intrusion detection are intro- 
duced artificial intelligence mechanisms 23]. Some of Al 
techniques used in intrusion detection are data mining, 
genetic algorithm, neural network, multi-agents, ant-net 
miner, etc. 

Lee et al. [15| introduced a data mining classification 
mechanism with association rules from the audit data - 
knowledge present in a knowledge base - providing gaudi- 
ness for data gathering and feature selection. In order to 
detect abnormal behavior one can use genetic algorithms, 
see for example [l| . In [18J , neural networks use back prop- 
agation MLP for a small network in order to detect anoma- 
lies and identify user profiles after end of each log session. 

It shall also be remarked that several of the leading 
methods for detecting intrusions and detecting intrusions 
are hybrid artificial approaches, which combine different 
Al solution techniques @, 0, 25 1. Some hybrid meth- 
ods used in the literature are data mining and fuzzy logic 
techniques [l6| , data mining and genetic algorithm select- 
ing the best rules for the system [9(. In the future could 
be implemented hybrid models involving intelligent evolu- 
tionary agents [12j and dynamic decision boundary using 
Support Vector Machine [24j for handle a large number of 
features. 

Banerjee et al. 0] introduced an intrusion detection 
based on emotional ants for sensors (IDEAS), which could 
keep track of the intruder trials. This technique is able to 
work in conjunction with the conventional machine learn- 
ing based intrusion detection techniques to secure the sen- 
sor networks. 

4. Hybrid Sensitive Robot Metaheuristic for In- 
trusion Detection 

In this section we introduce a new hybrid metaheuristic 
in order to detect the intruders in a sensor network. The 
new model is called Hybrid Sensitive Robot Metaheuristic 
for Intrusion Detection (HSRM-ID), is based on Sensitive 
Robot Metaheuristic (SRM) introduced in [l9[ and uses a 
specific rule in order to generate a state of thinking or the 
choice of an intruder 0]. 

The proposed (HSRM) can be modelled using two dis- 
tinct groups of sensitive stigmergic robots. The first group 
of robots-agents is endowed with small sensitive values SSL 
and they are sensitive-explorers (sSSL: small SSL-robots). 
They can sustain diversification in intruders searching. In 
the second group are the robots-agents with high sensi- 
tive stigmergic values {hSSL: high SSL-robots). They are 



sensitive-exploiters and could exploit intensively the re- 
gions already identified with attacks from intruders. In 
time, based on the experience of robots-agents, the sensi- 
tive stigmergic level SSL can increase or decrease. 

The pseudo-code description of the Hybrid Sensitive 
Robot Metaheuristic for Intrusion Detection is described 
in what it follows. 

Algorithm 1 Hybrid Sensitive Robot Algorithm for In- 

trusion Detection 

Set parameters; initialize stigmergic values of the trails; 
for k=l to m do 

Place robot k on a randomly chosen node of a sensor 
network; 

for i=l to Niter do 

Each robot incrementally builds a solution based on 
the autonomous search sensitivity; 

The sSSL robots choose the next node based on the 
attack probability (1); 

A hSSL-robot uses the information supplied by the 
sSSL robots to chose the new node (2); 

Apply a local stigmergic updating rule (3); 
Apply the rule generating a state of thinking or the 
choice of an intruder (4): 

A global updating rule is applied (5); 
Validate the path and detect intruder; 
end for 
end for 

The stigmergic value of an edge is r and the visibility 
value is rj. A tabu list with the already visited nodes is 
maintained, see (Iol | for more details. In order to divide 
the colony of m robots in two groups it is used a random 
variable uniformly distributed over [0, 1]. 
Let q be a realization of this random variable and go a 
constant < qq < 1. If the inequality q > qo stands the 
robots are endowed with small sensitive stigmergic value 
sSSL robots and otherwise they are highly sensitive stig- 
mergic robots (hSSL). A hSSL-robot uses the information 
supplied by the sSSL robots. 

In order to define the rule to generate a state of think- 
ing or the choice of an intruder we use the same notations 
as in Banerjee et al. Q: 

• A(I, s, t) denotes the tendency of an intruder / to be 
assigned to the sensor node s at moment t. 

• Ii(intruder\)JJ{I , s,i) is the potential to generate 
the state of choice to a particular path in the network 
sensor graph. 

• I-C(I, s, t) is the intensity of the attack, 

• f-C(.) is a function specific of the thinking of in- 
truder 

• T_c(I, t) is the threshold value. 

The new hybrid model (HSRM-ID) for identifying the 
affected path of a sensor network graph is described fur- 
ther. 
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• Initially the SSL robots are placed randomly in the 
network space. The parameters of the algorithm are 
initialized. 

• A SSL robot chooses the next move with a proba- 
bility based on the distance to the candidate node 
and the stigmergic intensity on the connecting edge. 
In order to stop the stigmergic intensity increasing 
unbounded each time unit evaporation takes place. 

• Let i be the current node. The next node is chosen 
probabilistically. Let J k i be the unvisited successors 
of node i by robot k and u £ J j. As in Ant Colony 
System technique [10( the probability of choosing the 
next node u, possible to be attacked, is shown in JT]). 

w iu {t)][ mu {t)Y 



PiuW = 



■ J oeJ k i 



(1) 



where (3 is a positive parameter, n u (t) is the stigmer- 
gic intensity and r\i U (t) is the inverse of the distance 
on edge (i, u) at moment t. 

The new node j is choose by hSSL robots using @: 
j = argmax aeJ h{T iu (t)[r] iu (t)f}, (2) 

where /3 determines the relative importance of stig- 
mergy versus heuristic information. 

Update trail stigmergic intensity by local stigmergic 
rule ©: 



,(* + !) 



(t) + (1 - <z ) 2 • r . 



(3) 



where are the edges belonging to the most suc- 
cessful traversing across sensor nodes. 

Equation (0| illustrates the rule to generate a state 
of thinking or the choice of an intruder Q ■ 



If I.C(I, s, t) = I_C(I, s, t) - T_C(I, t) 
then LC(l,s,t) > IjC{l,t) 

else lJC(I,s,t) =0. (4) 

• A global updating rule is applied Q as in (J5J) and is 
used a tabu list where to store the track and edge 
details. 

k 

nj (t + 1) = qln^t) + (1 - q ) 2 ■ A^Ty(t), (5) 

J=l 

where 

/(s J ) if s J contributes to 



AsH, 







otherwise 



(6) 



and where go is the evaporation rate, As^r^ is the 
combination of a solution s 3 with the update for 
pheromone value rij; f(s J ) is the function specific 
to the thinking of the intruder and k is the number 
of solution used for updating the pheromones. 



Table 1: Analyze the action of agents- robots based on the pheromone 
level on the edges of the sensor network graph. 
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• Update the intensity of attack value I-C(I, s, t) through 
validating the path and detect intruder. 

The output of the algorithm is the most affected path of 
a sensor network with n nodes. Termination criteria is 
given by the number of iterations, denoted by Nu er . The 
complexity of the proposed algorithm is 0{n 2 ■ m ■ Ni ter )- 

5. The analyze of the new concept 

In the following is performed an analyze of the Hybrid 
Sensitive Robot Algorithm for Intrusion Detection. The 
artificial pheromone from the edges of the sensor network 
graph reveals as the attacked zone within the network. 
Each bio-inspired robot uses his one specific properties as 
his level of sensitivity in order to detect the intruders and 
the artificial stigmergy in order to find the attacked edges. 
Table 1 illustrates the behavior of different groups of sensi- 
tive bio-inspired virtual robots when investigate the sensor 
network in search of intrusion. As a concept, the intro- 
duced model Hybrid Sensitive Robot Algorithm for Intru- 
sion Detection has more chances to improve the intrusion 
detection systems comparing with the existing approaches 
from the literature, due to the sensitivity property of the 
bio-inspired robots. As well the diversity of robots groups 
implies also different values of virtual pheromone trail val- 
ues. The robots with small stigmergic value are constantly 
sustaining diversification in intruders searching and as a 
complementary action, the robots with high sensitive stig- 
mergic values are testing the already identified networks 
attacked regions. In the future we will perform numeri- 
cal experiments to assess the performance of the proposed 
algorithm. 
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6. Conclusions 

Nowadays the networks are threatened by security at- 
tacks and resource limitations. In order to deal with this 
security network problem efficient intruders detection and 
prevention systems are used. Within this paper we in- 
troduce a new concept Hybrid Sensitive Robot Algorithm 
for Intrusion Detection based on bio-inspired robots. It 
is used a qualitative stigmergic mechanism, each robot is 
endowed with a stigmergic sensitivity level facilitating the 
exploration and exploitation of the search space. In the 
future some computational tests will be proposed and fur- 
ther hybrid AI techniques will be involved for securing the 
networks. 
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